From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Anand Raj Manickam <anandrm@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] iptables-nftables nft: Removes if_nametoindex ,NFT_META_OIF for outiface
Date: Fri, 11 Oct 2013 13:03:44 +0200
Message-ID: <20131011110344.GB18505@localhost>
In-Reply-To: <CAEyr1FQ51A71gtx6Gb_nf4mLCOftRZCYUoVGtR_ft6cmWzKVRg@mail.gmail.com>
On Fri, Oct 11, 2013 at 03:37:34PM +0530, Anand Raj Manickam wrote:
> On Fri, Oct 11, 2013 at 3:20 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Fri, Oct 11, 2013 at 03:05:05PM +0530, Anand Raj Manickam wrote:
> >> On Fri, Oct 11, 2013 at 1:45 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >> > On Fri, Oct 11, 2013 at 11:34:04AM +0530, Anand Raj Manickam wrote:
> >> >> This patch fixes the issue where rules are added for a non-existent
> >> >> interface and cannot be deleted.
> >> >> e.g. xtables -t nat -I POSTROUTING -o eth10.10 -j MASQUERADE allows
> >> >> you to add the rule where the eth10.10 interface is not created,
> >> >> but will not allow you to delete it, as the label maps to * by if_nametoindex().
> >> >
> >> > This patch doesn't apply:
> >> >
> >> > patch -p1 < /tmp/anand.patch
> >> > patching file iptables/nft-shared.c
> >> > patch: **** malformed patch at line 6: *iface, int invflags)
> >> >
> >> > Please, no need to split things in that many chunks per file. One
> >> > single patch file to address one thing is just fine, the repository
> >> > has to remain in consistent state between patches.
> >> >
> >> > Thanks.
> >>
> >> Merged all into a single patch.
> >
> > I still think this still breaks -i eth+ matching, as there was special
> > handling for that case.
>
> Can you share the exact case with me? It does NOT work on rules added before the patch.
>
> The patch looks good on my setup.
> xtables -I INPUT -i eth+ -j ACCEPT
>
> xtables -L INPUT -nv
> Chain INPUT (policy ACCEPT 142K packets, 19M bytes)
> pkts bytes target prot opt in out source destination
> 0 0 ACCEPT all -- eth+ * 0.0.0.0/0 0.0.0.0/0
>
> # xtables -D INPUT -i eth+ -j ACCEPT
> comparing with... -A INPUT -c 0 0 -i eth+ -j ACCEPT
> DEBUG: rule: ip filter INPUT 29 0
> [ meta load iifname => reg 1 ]
> [ cmp eq reg 1 0x2b687465 ]
> [ counter pkts 0 bytes 0 ]
> [ immediate reg 0 1 ]
I guess that seems to work for adding/removing rules, but packet
matching won't work, since from the kernel side it will strictly
compare the string, e.g. eth0 == eth+.
Note that eth+ means we want to match all interfaces starting with 'eth'.
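To make the point about wildcard matching concrete, here is an added example (my own illustration, not code from the thread or from iptables-nftables). It models the two bytecode instructions shown above, `meta load iifname` and `cmp eq`, on the assumption that the kernel's cmp expression compares only as many bytes of the register as the immediate data carries (a constructed model of the real expression, not a copy of it). It also decodes the immediate `0x2b687465` from the debug output back into its ASCII bytes. With the literal 4-byte compare, a packet arriving on eth0 does not match a rule for eth+; with the trailing '+' stripped and only the 3-byte prefix compared, it does.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16

/* Model of "meta load iifname => reg 1": the interface name, NUL-padded to
 * IFNAMSIZ, is loaded into a register. */
static void load_iifname(uint8_t reg[IFNAMSIZ], const char *name)
{
    memset(reg, 0, IFNAMSIZ);
    strncpy((char *)reg, name, IFNAMSIZ - 1);
}

/* Model of "cmp eq reg 1 <data>": only the first `len` bytes of the register
 * take part in the comparison (assumption about the kernel expression). */
static int cmp_eq(const uint8_t reg[IFNAMSIZ], const void *data, size_t len)
{
    return len <= IFNAMSIZ && memcmp(reg, data, len) == 0;
}

/* Decode the 32-bit immediate printed by the debug output into its four
 * ASCII bytes. The printer shows the register data as a host-endian word,
 * so on a little-endian host 0x2b687465 is the bytes 'e','t','h','+'. */
static void decode_imm32(uint32_t imm, char out[5])
{
    for (int i = 0; i < 4; i++)
        out[i] = (char)((imm >> (8 * i)) & 0xffu);
    out[4] = '\0';
}

/* Convenience wrapper for checks: does the immediate spell `s`? */
static int imm32_is(uint32_t imm, const char *s)
{
    char buf[5];
    decode_imm32(imm, buf);
    return strcmp(buf, s) == 0;
}

/* The posted bytecode: compare the full literal, '+' included. This is
 * the strict string comparison Pablo describes ("eth0 == eth+" fails). */
static int match_literal(const char *rule_iface, const char *pkt_iface)
{
    uint8_t reg[IFNAMSIZ];
    size_t n = strlen(rule_iface);

    if (n >= IFNAMSIZ)
        return 0;
    load_iifname(reg, pkt_iface);
    return cmp_eq(reg, rule_iface, n);
}

/* The special handling for wildcards: a trailing '+' means "prefix match",
 * so only the bytes before the '+' are compared. A name without '+' is
 * compared including its terminating NUL so that "eth0" does not match
 * "eth01" (assumed behaviour of the userspace translation). */
static int match_wildcard(const char *rule_iface, const char *pkt_iface)
{
    uint8_t reg[IFNAMSIZ];
    size_t n = strlen(rule_iface);

    if (n == 0 || n >= IFNAMSIZ)
        return 0;
    load_iifname(reg, pkt_iface);
    if (rule_iface[n - 1] == '+')
        return cmp_eq(reg, rule_iface, n - 1);   /* "eth+" -> compare "eth" */
    return cmp_eq(reg, rule_iface, n + 1);       /* exact name, NUL included */
}

int main(void)
{
    char decoded[5];

    decode_imm32(0x2b687465u, decoded);
    printf("immediate 0x2b687465 decodes to \"%s\"\n", decoded);

    printf("literal  eth+ vs eth0  : %s\n", match_literal("eth+", "eth0") ? "match" : "no match");
    printf("wildcard eth+ vs eth0  : %s\n", match_wildcard("eth+", "eth0") ? "match" : "no match");
    printf("wildcard eth+ vs wlan0 : %s\n", match_wildcard("eth+", "wlan0") ? "match" : "no match");
    printf("wildcard eth0 vs eth01 : %s\n", match_wildcard("eth0", "eth01") ? "match" : "no match");
    return 0;
}
```

The interesting failure is silent: the rule inserts and deletes fine, as the thread shows, but never fires for real traffic on eth0, eth1 and so on, which is exactly the kind of regression a packet-level test (rather than an add/delete round trip) is needed to catch.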